You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@spark.apache.org by "Andrew Kyle Purtell (Jira)" <ji...@apache.org> on 2022/10/06 20:37:00 UTC

[jira] [Created] (SPARK-40681) Update gson transitive dependency to 2.8.9 or later

Andrew Kyle Purtell created SPARK-40681:
-------------------------------------------

             Summary: Update gson transitive dependency to 2.8.9 or later
                 Key: SPARK-40681
                 URL: https://issues.apache.org/jira/browse/SPARK-40681
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 3.3.0
            Reporter: Andrew Kyle Purtell


Spark 3.3 currently ships with GSON 2.8.6 and this should be managed up to 2.8.9 or later.

Versions of GSON prior to 2.8.9 are subject to [gson#1991|https://github.com/google/gson/pull/1991] , detected and reported by several flavors of static vulnerability assessment tools, at a fairly high score because it is a deserialization of untrusted data problem.

This issue is not meant to imply any particular security problem in Spark itself.

[INFO] org.apache.spark:spark-network-common_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.google.crypto.tink:tink:jar:1.6.1:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  \- com.google.code.gson:gson:jar:2.8.6:compile

[INFO] org.apache.spark:spark-hive_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- org.apache.hive:hive-exec:jar:core:2.3.9:compile
[INFO] |  +- org.apache.hive:hive-vector-code-gen:jar:2.3.9:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.2.4:compile





--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org